diff --git a/backport-CVE-2024-40898-merge-leading-slashes-by-default.patch b/backport-CVE-2024-40898-merge-leading-slashes-by-default.patch
new file mode 100644
index 0000000000000000000000000000000000000000..343ddc9cc50bf1ef927d82d10e51a4f57d4889d1
--- /dev/null
+++ b/backport-CVE-2024-40898-merge-leading-slashes-by-default.patch
@@ -0,0 +1,52 @@
+From b1560d34a37681ebc18baa78588579ed87f9da70 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 15 Jul 2024 12:05:57 +0000
+Subject: [PATCH] merge leading slashes by default
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919246 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/mappers/mod_rewrite.c   | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 0d928e4b99..439af886ba 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -179,6 +179,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_ESCAPECTLS         (1<<21)
+ #define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22)
+ #define RULEFLAG_UNSAFE_ALLOW3F     (1<<23)
++#define RULEFLAG_UNC                (1<<24)
+ 
+ /* return code of the rewrite rule
+  * the result may be escaped - or not
+@@ -3884,6 +3885,9 @@ static const char *cmd_rewriterule_setflag(apr_pool_t *p, void *_cfg,
+         else if(!strcasecmp(key, "nsafeAllow3F")) {
+             cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F;
+         }
++        else if(!strcasecmp(key, "NC")) {
++            cfg->flags |= RULEFLAG_UNC;
++        }
+         else {
+             ++error;
+         }
+@@ -4508,6 +4512,16 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
+         return RULE_RC_MATCH;
+     }
+ 
++    if (!(p->flags & RULEFLAG_UNC)) {
++        /* merge leading slashes, unless they were literals in the sub */
++        if (!AP_IS_SLASH(p->output[0]) || !AP_IS_SLASH(p->output[1])) {
++            while (AP_IS_SLASH(r->filename[0]) &&
++                   AP_IS_SLASH(r->filename[1])) {
++                r->filename++;
++            }
++        }
++    }
++
+     /* Finally remember the forced mime-type */
+     force_type_handler(p, ctx);
+ 
+-- 
+2.25.1
+
diff --git a/httpd.spec b/httpd.spec
index 88d8d832cb6b331b83a262c014874945310e6e58..c59aa5cb51d8bf0e7a70f5af692d09cf46839873 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.58
-Release:          9
+Release:          10
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -94,6 +94,7 @@ Patch40:          backport-Fix-the-handling-of-the-stickysession-configuration-p
 Patch41:          backport-Fix-possible-crash-on-error-path.patch
 Patch42:          backport-Check-SSL_CTX_new-return-value.patch
 Patch43:          backport-Report-invalid-Options-argument-when-parsing-AllowOverride-directives.patch
+Patch44:          backport-CVE-2024-40898-merge-leading-slashes-by-default.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -531,6 +532,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue Jun 24 2025 wangxiaomeng <wangxiaomeng@kylinos.cn> - 2.4.58-10
+- Type:CVE
+- ID:CVE-2024-40898
+- SUG:NA
+- DESC:fix CVE-2024-40898
+
 * Wed Apr 16 2025 xingwei <xingwei14@h-partners.com> - 2.4.58-9
 - Type:bugfix
 - CVE:NA